CWE-416
AllowedUse After Free
Abstraction: Variant · Status: Stable
The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
9804 vulnerabilities reference this CWE, most recent first.
GHSA-XQQ8-XC8F-F7C4
Vulnerability from github – Published: 2025-02-27 21:32 – Updated: 2025-02-27 21:32In the Linux kernel, the following vulnerability has been resolved:
ath11k: free peer for station when disconnect from AP for QCA6390/WCN6855
Commit b4a0f54156ac ("ath11k: move peer delete after vdev stop of station for QCA6390 and WCN6855") is to fix firmware crash by changing the WMI command sequence, but actually skip all the peer delete operation, then it lead commit 58595c9874c6 ("ath11k: Fixing dangling pointer issue upon peer delete failure") not take effect, and then happened a use-after-free warning from KASAN. because the peer->sta is not set to NULL and then used later.
Change to only skip the WMI_PEER_DELETE_CMDID for QCA6390/WCN6855.
log of user-after-free:
[ 534.888665] BUG: KASAN: use-after-free in ath11k_dp_rx_update_peer_stats+0x912/0xc10 [ath11k] [ 534.888696] Read of size 8 at addr ffff8881396bb1b8 by task rtcwake/2860
[ 534.888705] CPU: 4 PID: 2860 Comm: rtcwake Kdump: loaded Tainted: G W 5.15.0-wt-ath+ #523 [ 534.888712] Hardware name: Intel(R) Client Systems NUC8i7HVK/NUC8i7HVB, BIOS HNKBLi70.86A.0067.2021.0528.1339 05/28/2021 [ 534.888716] Call Trace: [ 534.888720] [ 534.888726] dump_stack_lvl+0x57/0x7d [ 534.888736] print_address_description.constprop.0+0x1f/0x170 [ 534.888745] ? ath11k_dp_rx_update_peer_stats+0x912/0xc10 [ath11k] [ 534.888771] kasan_report.cold+0x83/0xdf [ 534.888783] ? ath11k_dp_rx_update_peer_stats+0x912/0xc10 [ath11k] [ 534.888810] ath11k_dp_rx_update_peer_stats+0x912/0xc10 [ath11k] [ 534.888840] ath11k_dp_rx_process_mon_status+0x529/0xa70 [ath11k] [ 534.888874] ? ath11k_dp_rx_mon_status_bufs_replenish+0x3f0/0x3f0 [ath11k] [ 534.888897] ? check_prev_add+0x20f0/0x20f0 [ 534.888922] ? __lock_acquire+0xb72/0x1870 [ 534.888937] ? find_held_lock+0x33/0x110 [ 534.888954] ath11k_dp_rx_process_mon_rings+0x297/0x520 [ath11k] [ 534.888981] ? rcu_read_unlock+0x40/0x40 [ 534.888990] ? ath11k_dp_rx_pdev_alloc+0xd90/0xd90 [ath11k] [ 534.889026] ath11k_dp_service_mon_ring+0x67/0xe0 [ath11k] [ 534.889053] ? ath11k_dp_rx_process_mon_rings+0x520/0x520 [ath11k] [ 534.889075] call_timer_fn+0x167/0x4a0 [ 534.889084] ? add_timer_on+0x3b0/0x3b0 [ 534.889103] ? lockdep_hardirqs_on_prepare.part.0+0x18c/0x370 [ 534.889117] __run_timers.part.0+0x539/0x8b0 [ 534.889123] ? ath11k_dp_rx_process_mon_rings+0x520/0x520 [ath11k] [ 534.889157] ? call_timer_fn+0x4a0/0x4a0 [ 534.889164] ? mark_lock_irq+0x1c30/0x1c30 [ 534.889173] ? clockevents_program_event+0xdd/0x280 [ 534.889189] ? mark_held_locks+0xa5/0xe0 [ 534.889203] run_timer_softirq+0x97/0x180 [ 534.889213] __do_softirq+0x276/0x86a [ 534.889230] __irq_exit_rcu+0x11c/0x180 [ 534.889238] irq_exit_rcu+0x5/0x20 [ 534.889244] sysvec_apic_timer_interrupt+0x8e/0xc0 [ 534.889251] [ 534.889254] [ 534.889259] asm_sysvec_apic_timer_interrupt+0x12/0x20 [ 534.889265] RIP: 0010:_raw_spin_unlock_irqrestore+0x38/0x70 [ 534.889271] Code: 74 24 10 e8 ea c2 bf fd 48 89 ef e8 12 53 c0 fd 81 e3 00 02 00 00 75 25 9c 58 f6 c4 02 75 2d 48 85 db 74 01 fb bf 01 00 00 00 13 a7 b5 fd 65 8b 05 cc d9 9c 5e 85 c0 74 0a 5b 5d c3 e8 a0 ee [ 534.889276] RSP: 0018:ffffc90002e5f880 EFLAGS: 00000206 [ 534.889284] RAX: 0000000000000006 RBX: 0000000000000200 RCX: ffffffff9f256f10 [ 534.889289] RDX: 0000000000000000 RSI: ffffffffa1c6e420 RDI: 0000000000000001 [ 534.889293] RBP: ffff8881095e6200 R08: 0000000000000001 R09: ffffffffa40d2b8f [ 534.889298] R10: fffffbfff481a571 R11: 0000000000000001 R12: ffff8881095e6e68 [ 534.889302] R13: ffffc90002e5f908 R14: 0000000000000246 R15: 0000000000000000 [ 534.889316] ? mark_lock+0xd0/0x14a0 [ 534.889332] klist_next+0x1d4/0x450 [ 534.889340] ? dpm_wait_for_subordinate+0x2d0/0x2d0 [ 534.889350] device_for_each_child+0xa8/0x140 [ 534.889360] ? device_remove_class_symlinks+0x1b0/0x1b0 [ 534.889370] ? __lock_release+0x4bd/0x9f0 [ 534.889378] ? dpm_suspend+0x26b/0x3f0 [ 534.889390] dpm_wait_for_subordinate+ ---truncated---
{
"affected": [],
"aliases": [
"CVE-2022-49238"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-02-26T07:01:00Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nath11k: free peer for station when disconnect from AP for QCA6390/WCN6855\n\nCommit b4a0f54156ac (\"ath11k: move peer delete after vdev stop of station\nfor QCA6390 and WCN6855\") is to fix firmware crash by changing the WMI\ncommand sequence, but actually skip all the peer delete operation, then\nit lead commit 58595c9874c6 (\"ath11k: Fixing dangling pointer issue upon\npeer delete failure\") not take effect, and then happened a use-after-free\nwarning from KASAN. because the peer-\u003esta is not set to NULL and then used\nlater.\n\nChange to only skip the WMI_PEER_DELETE_CMDID for QCA6390/WCN6855.\n\nlog of user-after-free:\n\n[ 534.888665] BUG: KASAN: use-after-free in ath11k_dp_rx_update_peer_stats+0x912/0xc10 [ath11k]\n[ 534.888696] Read of size 8 at addr ffff8881396bb1b8 by task rtcwake/2860\n\n[ 534.888705] CPU: 4 PID: 2860 Comm: rtcwake Kdump: loaded Tainted: G W 5.15.0-wt-ath+ #523\n[ 534.888712] Hardware name: Intel(R) Client Systems NUC8i7HVK/NUC8i7HVB, BIOS HNKBLi70.86A.0067.2021.0528.1339 05/28/2021\n[ 534.888716] Call Trace:\n[ 534.888720] \u003cIRQ\u003e\n[ 534.888726] dump_stack_lvl+0x57/0x7d\n[ 534.888736] print_address_description.constprop.0+0x1f/0x170\n[ 534.888745] ? ath11k_dp_rx_update_peer_stats+0x912/0xc10 [ath11k]\n[ 534.888771] kasan_report.cold+0x83/0xdf\n[ 534.888783] ? ath11k_dp_rx_update_peer_stats+0x912/0xc10 [ath11k]\n[ 534.888810] ath11k_dp_rx_update_peer_stats+0x912/0xc10 [ath11k]\n[ 534.888840] ath11k_dp_rx_process_mon_status+0x529/0xa70 [ath11k]\n[ 534.888874] ? ath11k_dp_rx_mon_status_bufs_replenish+0x3f0/0x3f0 [ath11k]\n[ 534.888897] ? check_prev_add+0x20f0/0x20f0\n[ 534.888922] ? __lock_acquire+0xb72/0x1870\n[ 534.888937] ? find_held_lock+0x33/0x110\n[ 534.888954] ath11k_dp_rx_process_mon_rings+0x297/0x520 [ath11k]\n[ 534.888981] ? rcu_read_unlock+0x40/0x40\n[ 534.888990] ? ath11k_dp_rx_pdev_alloc+0xd90/0xd90 [ath11k]\n[ 534.889026] ath11k_dp_service_mon_ring+0x67/0xe0 [ath11k]\n[ 534.889053] ? ath11k_dp_rx_process_mon_rings+0x520/0x520 [ath11k]\n[ 534.889075] call_timer_fn+0x167/0x4a0\n[ 534.889084] ? add_timer_on+0x3b0/0x3b0\n[ 534.889103] ? lockdep_hardirqs_on_prepare.part.0+0x18c/0x370\n[ 534.889117] __run_timers.part.0+0x539/0x8b0\n[ 534.889123] ? ath11k_dp_rx_process_mon_rings+0x520/0x520 [ath11k]\n[ 534.889157] ? call_timer_fn+0x4a0/0x4a0\n[ 534.889164] ? mark_lock_irq+0x1c30/0x1c30\n[ 534.889173] ? clockevents_program_event+0xdd/0x280\n[ 534.889189] ? mark_held_locks+0xa5/0xe0\n[ 534.889203] run_timer_softirq+0x97/0x180\n[ 534.889213] __do_softirq+0x276/0x86a\n[ 534.889230] __irq_exit_rcu+0x11c/0x180\n[ 534.889238] irq_exit_rcu+0x5/0x20\n[ 534.889244] sysvec_apic_timer_interrupt+0x8e/0xc0\n[ 534.889251] \u003c/IRQ\u003e\n[ 534.889254] \u003cTASK\u003e\n[ 534.889259] asm_sysvec_apic_timer_interrupt+0x12/0x20\n[ 534.889265] RIP: 0010:_raw_spin_unlock_irqrestore+0x38/0x70\n[ 534.889271] Code: 74 24 10 e8 ea c2 bf fd 48 89 ef e8 12 53 c0 fd 81 e3 00 02 00 00 75 25 9c 58 f6 c4 02 75 2d 48 85 db 74 01 fb bf 01 00 00 00 \u003ce8\u003e 13 a7 b5 fd 65 8b 05 cc d9 9c 5e 85 c0 74 0a 5b 5d c3 e8 a0 ee\n[ 534.889276] RSP: 0018:ffffc90002e5f880 EFLAGS: 00000206\n[ 534.889284] RAX: 0000000000000006 RBX: 0000000000000200 RCX: ffffffff9f256f10\n[ 534.889289] RDX: 0000000000000000 RSI: ffffffffa1c6e420 RDI: 0000000000000001\n[ 534.889293] RBP: ffff8881095e6200 R08: 0000000000000001 R09: ffffffffa40d2b8f\n[ 534.889298] R10: fffffbfff481a571 R11: 0000000000000001 R12: ffff8881095e6e68\n[ 534.889302] R13: ffffc90002e5f908 R14: 0000000000000246 R15: 0000000000000000\n[ 534.889316] ? mark_lock+0xd0/0x14a0\n[ 534.889332] klist_next+0x1d4/0x450\n[ 534.889340] ? dpm_wait_for_subordinate+0x2d0/0x2d0\n[ 534.889350] device_for_each_child+0xa8/0x140\n[ 534.889360] ? device_remove_class_symlinks+0x1b0/0x1b0\n[ 534.889370] ? __lock_release+0x4bd/0x9f0\n[ 534.889378] ? dpm_suspend+0x26b/0x3f0\n[ 534.889390] dpm_wait_for_subordinate+\n---truncated---",
"id": "GHSA-xqq8-xc8f-f7c4",
"modified": "2025-02-27T21:32:13Z",
"published": "2025-02-27T21:32:13Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-49238"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/212ad7cb7d7592669c067125949e0a8e31ce6a0b"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/400705c50bbf184794c885d1efad7fe9ccf1471a"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-XQVP-J58F-PJF5
Vulnerability from github – Published: 2024-04-17 12:32 – Updated: 2026-05-12 12:31In the Linux kernel, the following vulnerability has been resolved:
RDMA/srpt: Do not register event handler until srpt device is fully setup
Upon rare occasions, KASAN reports a use-after-free Write in srpt_refresh_port().
This seems to be because an event handler is registered before the srpt device is fully setup and a race condition upon error may leave a partially setup event handler in place.
Instead, only register the event handler after srpt device initialization is complete.
{
"affected": [],
"aliases": [
"CVE-2024-26872"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-04-17T11:15:09Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/srpt: Do not register event handler until srpt device is fully setup\n\nUpon rare occasions, KASAN reports a use-after-free Write\nin srpt_refresh_port().\n\nThis seems to be because an event handler is registered before the\nsrpt device is fully setup and a race condition upon error may leave a\npartially setup event handler in place.\n\nInstead, only register the event handler after srpt device initialization\nis complete.",
"id": "GHSA-xqvp-j58f-pjf5",
"modified": "2026-05-12T12:31:37Z",
"published": "2024-04-17T12:32:04Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26872"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-265688.html"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/6413e78086caf7bf15639923740da0d91fdfd090"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/7104a00fa37ae898a827381f1161fa3286c8b346"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/85570b91e4820a0db9d9432098778cafafa7d217"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/bdd895e0190c464f54f84579e7535d80276f0fc5"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/c21a8870c98611e8f892511825c9607f1e2cd456"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/e362d007294955a4fb929e1c8978154a64efdcb6"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/ec77fa12da41260c6bf9e060b89234b980c5130f"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-XQVV-5QPX-CJJ8
Vulnerability from github – Published: 2022-05-24 17:34 – Updated: 2025-10-31 12:30VMware ESXi (7.0 before ESXi70U1b-17168206, 6.7 before ESXi670-202011101-SG, 6.5 before ESXi650-202011301-SG), Workstation (15.x before 15.5.7), Fusion (11.x before 11.5.7) contain a use-after-free vulnerability in the XHCI USB controller. A malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine's VMX process running on the host.
{
"affected": [],
"aliases": [
"CVE-2020-4004"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-11-20T20:15:00Z",
"severity": "HIGH"
},
"details": "VMware ESXi (7.0 before ESXi70U1b-17168206, 6.7 before ESXi670-202011101-SG, 6.5 before ESXi650-202011301-SG), Workstation (15.x before 15.5.7), Fusion (11.x before 11.5.7) contain a use-after-free vulnerability in the XHCI USB controller. A malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine\u0027s VMX process running on the host.",
"id": "GHSA-xqvv-5qpx-cjj8",
"modified": "2025-10-31T12:30:19Z",
"published": "2022-05-24T17:34:41Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-4004"
},
{
"type": "WEB",
"url": "https://www.vmware.com/security/advisories/VMSA-2020-0026.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-XQWJ-JF37-7WP5
Vulnerability from github – Published: 2025-10-14 18:30 – Updated: 2025-10-14 18:30Use after free in Windows PrintWorkflowUserSvc allows an authorized attacker to elevate privileges locally.
{
"affected": [],
"aliases": [
"CVE-2025-55690"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-10-14T17:15:50Z",
"severity": "HIGH"
},
"details": "Use after free in Windows PrintWorkflowUserSvc allows an authorized attacker to elevate privileges locally.",
"id": "GHSA-xqwj-jf37-7wp5",
"modified": "2025-10-14T18:30:31Z",
"published": "2025-10-14T18:30:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55690"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-55690"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-XR34-PC3C-449F
Vulnerability from github – Published: 2025-12-19 09:30 – Updated: 2025-12-19 09:30A use-after-free vulnerability exists in the annotation handling of Foxit PDF Reader before 2025.2.1, 14.0.1, and 13.2.1 on Windows and MacOS. When opening a PDF containing specially crafted JavaScript, a pointer to memory that has already been freed may be accessed or dereferenced, potentially allowing a remote attacker to execute arbitrary code.
{
"affected": [],
"aliases": [
"CVE-2025-66495"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-12-19T07:16:02Z",
"severity": "HIGH"
},
"details": "A use-after-free vulnerability exists in the annotation handling of Foxit PDF Reader before 2025.2.1, 14.0.1, and 13.2.1 on Windows and MacOS. When opening a PDF containing specially crafted JavaScript, a pointer to memory that has already been freed may be accessed or dereferenced, potentially allowing a remote attacker to execute arbitrary code.",
"id": "GHSA-xr34-pc3c-449f",
"modified": "2025-12-19T09:30:28Z",
"published": "2025-12-19T09:30:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66495"
},
{
"type": "WEB",
"url": "https://www.foxit.com/support/security-bulletins.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-XR3X-3M9H-JG3R
Vulnerability from github – Published: 2025-11-07 00:30 – Updated: 2025-11-12 18:31Use after free in Storage in Google Chrome prior to 141.0.7390.65 allowed a remote attacker to execute arbitrary code via a crafted video file. (Chromium security severity: High)
{
"affected": [],
"aliases": [
"CVE-2025-11460"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-11-06T23:15:35Z",
"severity": "HIGH"
},
"details": "Use after free in Storage in Google Chrome prior to 141.0.7390.65 allowed a remote attacker to execute arbitrary code via a crafted video file. (Chromium security severity: High)",
"id": "GHSA-xr3x-3m9h-jg3r",
"modified": "2025-11-12T18:31:05Z",
"published": "2025-11-07T00:30:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-11460"
},
{
"type": "WEB",
"url": "https://chromereleases.googleblog.com/2025/10/stable-channel-update-for-desktop.html"
},
{
"type": "WEB",
"url": "https://issues.chromium.org/issues/446722008"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-XR4H-93HJ-62Q2
Vulnerability from github – Published: 2024-09-10 18:30 – Updated: 2024-09-10 18:30Microsoft SQL Server Native Scoring Remote Code Execution Vulnerability
{
"affected": [],
"aliases": [
"CVE-2024-26186"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-09-10T17:15:16Z",
"severity": "HIGH"
},
"details": "Microsoft SQL Server Native Scoring Remote Code Execution Vulnerability",
"id": "GHSA-xr4h-93hj-62q2",
"modified": "2024-09-10T18:30:44Z",
"published": "2024-09-10T18:30:44Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26186"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-26186"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-XR89-C9W4-G997
Vulnerability from github – Published: 2025-01-11 15:30 – Updated: 2025-10-17 15:30In the Linux kernel, the following vulnerability has been resolved:
block: RCU protect disk->conv_zones_bitmap
Ensure that a disk revalidation changing the conventional zones bitmap of a disk does not cause invalid memory references when using the disk_zone_is_conv() helper by RCU protecting the disk->conv_zones_bitmap pointer.
disk_zone_is_conv() is modified to operate under the RCU read lock and the function disk_set_conv_zones_bitmap() is added to update a disk conv_zones_bitmap pointer using rcu_replace_pointer() with the disk zone_wplugs_lock spinlock held.
disk_free_zone_resources() is modified to call disk_update_zone_resources() with a NULL bitmap pointer to free the disk conv_zones_bitmap. disk_set_conv_zones_bitmap() is also used in disk_update_zone_resources() to set the new (revalidated) bitmap and free the old one.
{
"affected": [],
"aliases": [
"CVE-2024-57875"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-01-11T15:15:07Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nblock: RCU protect disk-\u003econv_zones_bitmap\n\nEnsure that a disk revalidation changing the conventional zones bitmap\nof a disk does not cause invalid memory references when using the\ndisk_zone_is_conv() helper by RCU protecting the disk-\u003econv_zones_bitmap\npointer.\n\ndisk_zone_is_conv() is modified to operate under the RCU read lock and\nthe function disk_set_conv_zones_bitmap() is added to update a disk\nconv_zones_bitmap pointer using rcu_replace_pointer() with the disk\nzone_wplugs_lock spinlock held.\n\ndisk_free_zone_resources() is modified to call\ndisk_update_zone_resources() with a NULL bitmap pointer to free the disk\nconv_zones_bitmap. disk_set_conv_zones_bitmap() is also used in\ndisk_update_zone_resources() to set the new (revalidated) bitmap and\nfree the old one.",
"id": "GHSA-xr89-c9w4-g997",
"modified": "2025-10-17T15:30:55Z",
"published": "2025-01-11T15:30:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-57875"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/493326c4f10cc71a42c27fdc97ce112182ee4cbc"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/d7cb6d7414ea1b33536fa6d11805cb8dceec1f97"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-XR94-3HC5-534P
Vulnerability from github – Published: 2024-04-02 21:30 – Updated: 2024-04-02 21:30Foxit PDF Reader AcroForm Use-After-Free Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit PDF Reader. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
The specific flaw exists within the handling of Doc objects. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-22800.
{
"affected": [],
"aliases": [
"CVE-2024-30352"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-04-02T21:15:47Z",
"severity": "HIGH"
},
"details": "Foxit PDF Reader AcroForm Use-After-Free Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit PDF Reader. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.\n\nThe specific flaw exists within the handling of Doc objects. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-22800.",
"id": "GHSA-xr94-3hc5-534p",
"modified": "2024-04-02T21:30:30Z",
"published": "2024-04-02T21:30:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-30352"
},
{
"type": "WEB",
"url": "https://www.foxit.com/support/security-bulletins.html"
},
{
"type": "WEB",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-24-335"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-XR96-H2WC-75JF
Vulnerability from github – Published: 2022-05-24 17:18 – Updated: 2022-10-06 00:00Use after free in task scheduling in Google Chrome prior to 81.0.4044.129 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page.
{
"affected": [],
"aliases": [
"CVE-2020-6462"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-05-21T04:15:00Z",
"severity": "MODERATE"
},
"details": "Use after free in task scheduling in Google Chrome prior to 81.0.4044.129 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page.",
"id": "GHSA-xr96-h2wc-75jf",
"modified": "2022-10-06T00:00:48Z",
"published": "2022-05-24T17:18:15Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-6462"
},
{
"type": "WEB",
"url": "https://chromereleases.googleblog.com/2020/04/stable-channel-update-for-desktop_27.html"
},
{
"type": "WEB",
"url": "https://crbug.com/1064891"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202005-13"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2020/dsa-4714"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
Strategy: Language Selection
Choose a language that provides automatic memory management.
Mitigation
Strategy: Attack Surface Reduction
When freeing pointers, be sure to set them to NULL once they are freed. However, the utilization of multiple or complex data structures may lower the usefulness of this strategy.
No CAPEC attack patterns related to this CWE.